English

Towards a Benchmark for Dependency Decision-Making

Software Engineering 2026-02-02 v2 Cryptography and Security

Abstract

AI coding agents increasingly modify real software repositories and make dependency decisions, including adding, removing, or updating third-party packages. These choices can materially affect security posture and maintenance burden, yet repository-level evaluations largely emphasize test passing and executability without explicitly scoring whether systems (i) reuse existing dependencies, (ii) avoid unnecessary additions, or (iii) select versions that satisfy security and policy constraints. We propose DepDec-Bench, a benchmark for evaluating dependency decision-making beyond functional correctness. To ground DepDec-Bench in real-world behavior, we conduct a preliminary study of 117,062 dependency changes from agent- and human-authored pull requests across seven ecosystems. We show that coding agents frequently make dependency decisions with security consequences that remain invisible to test-focused evaluation: agents select PR-time known-vulnerable versions (2.46%) and exhibit net-negative security impact overall (net impact -98 vs. +1,316 for humans). These observations inform DepDec-Bench task families and metrics that evaluate safe version selection, reuse discipline, and restraint against dependency bloat alongside test passing.

Keywords

Cite

@article{arxiv.2601.00205,
  title  = {Towards a Benchmark for Dependency Decision-Making},
  author = {Tanmay Singla and Berk Çakar and Paschal C. Amusuo and James C. Davis},
  journal= {arXiv preprint arXiv:2601.00205},
  year   = {2026}
}

Comments

Under review at JAWS 2026. 5 pages, 1 figures, 2 tables

R2 v1 2026-07-01T08:47:38.350Z